xred | fdc5bafb82ba9a28c76d7b94f7f80e7ca6c064f6c41e956c8f26f2a45f1f9ce6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Size

17.3MB
MD5

711ddbfbbd4e7e6e8d054371e3607b17
SHA1

e12617062882aaf0dfa9dc1c64085df0e7b6082b
SHA256

fdc5bafb82ba9a28c76d7b94f7f80e7ca6c064f6c41e956c8f26f2a45f1f9ce6
SHA512

c7a84ab16085ec75209443945695f293b0333c9c17d33797afcc278c5c8fe385e1d6a8e0e057e86cbe255147506e1bb133d39377cb2a9f266e43d849fb71d099
SSDEEP

393216:wCcOWJfN7lAshtY7ipVK8I7zIax5RYC2xxPz0MO:ClhFKshtYGpVKbX9ixpPO

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
2912	Synaptics.exe
948	._cache_Synaptics.exe
5028	AIToolkit.exe

Loads dropped DLL 1 IoCs

pid	Process
5028	AIToolkit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AIToolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4284	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4284	EXCEL.EXE
4284	EXCEL.EXE
4284	EXCEL.EXE
4284	EXCEL.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5028	AIToolkit.exe
5028	AIToolkit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4920	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	83
PID 1476 wrote to memory of 4920	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	83
PID 1476 wrote to memory of 4920	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	83
PID 1476 wrote to memory of 2912	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	84
PID 1476 wrote to memory of 2912	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	84
PID 1476 wrote to memory of 2912	1476	2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	84
PID 2912 wrote to memory of 948	2912	Synaptics.exe	85
PID 2912 wrote to memory of 948	2912	Synaptics.exe	85
PID 2912 wrote to memory of 948	2912	Synaptics.exe	85
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86
PID 4920 wrote to memory of 5028	4920	._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\local\stubexe\0x98F77DD3A34F5E0F\AIToolkit.exe
    "C:\Users\Admin\AppData\Local\Temp\local\stubexe\0x98F77DD3A34F5E0F\AIToolkit.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID:5028
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:948

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
17.3MB

MD5
711ddbfbbd4e7e6e8d054371e3607b17

SHA1
e12617062882aaf0dfa9dc1c64085df0e7b6082b

SHA256
fdc5bafb82ba9a28c76d7b94f7f80e7ca6c064f6c41e956c8f26f2a45f1f9ce6

SHA512
c7a84ab16085ec75209443945695f293b0333c9c17d33797afcc278c5c8fe385e1d6a8e0e057e86cbe255147506e1bb133d39377cb2a9f266e43d849fb71d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe

Filesize
16.6MB

MD5
c503271792c714ddb48dc57c0f3f1284

SHA1
90ecbf9e4391293ce27889af4b5c1efbab245787

SHA256
5da2144022be29b220d300595056a712d95c7dbddd59bc2575a62fa86cc5f0db

SHA512
35a595a96eb3f1b9c5ff033c4b48bd2fdb4ae9bd8ea1116c23b2284f263d6bb80b286627b9b228fe8574027ea359794031dba1c6717dde33068c4db137e6bcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\local\meta\@APPDATALOCAL@\Temp\AIToolkit.exe.__meta__

Filesize
32B

MD5
39d043628a55a85a8c4b9512106f2c13

SHA1
8ab14657371619f3cf77d62757df4ec05c378d16

SHA256
38f8f84cc65e293ee600180b36d0b8035d3fd14fb31652ea45cf1f83b2715f2c

SHA512
eeacbc9b01f041b9b940cf77eca5f22e14a8a8ea1b5d07e4953693e6443e16ef763f90398299feb057582a72506d90aeb2d972a45580ab30da27422a9f6b0d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\local\modified\@APPDATALOCAL@\Temp\AIToolkit.exe

Filesize
5.1MB

MD5
4d9ed3a8b663a8efa7c28e1212241e6a

SHA1
2d1212099df78f6323f3253b12c316c383a6dbf4

SHA256
c02e2302a69872886b18d85acb914d1376b31f9e80c2dd37f7e962f36212c8c2

SHA512
f77d2e3d9fb8f5ad222e37334a42bf893a16967435b0cc8a0f04dde17d5cf69a69a8ff92d0abccdcf00ae0455897c8dd2c9b06a6c7ff8b42eeb6e6ad6a1b3c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\local\stubexe\0x98F77DD3A34F5E0F\AIToolkit.exe

Filesize
32KB

MD5
7c78cd32d2f5e1ea65e95ec2f560e0bf

SHA1
a728c324ddc795fa1b863eb43f25e1f820acba64

SHA256
3a34a287819689abe2b82f6faf8d1033e3dc306b27781cac87a05c5438465c84

SHA512
dc1b0640cb020374e4a59c314e05da82a55739fe069a371624c0e56d86df291b145f3cb1f68e0508c503c7dce506ffa2966f52f31f391d759badae54c7467915

Download Submit
C:\Users\Admin\AppData\Local\Temp\local\temp\@WINDIR@\XSxS\Manifests\AIToolkit.exe_0x4d9ed3a8b663a8efa7c28e1212241e6a.1.manifest

Filesize
1KB

MD5
435c27f4c465398ce3d80ece542f47d5

SHA1
65296b152b79b2f198efa663dc2f004665c1f362

SHA256
ba8792c35d9de2027b3999e3a012ae03b1ed51ccd5cea5acdd8de279ceb63fed

SHA512
59d499c832f102e78c484bb53fafa56ff4a1463b44274ad1de86c9c65e67a18b6cafcbff23e588bef0fb34996a2c776b1bdf324a3f84f6af7b367ada17b18028

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsandbox.bin

Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz2MSYok.xlsm

Filesize
17KB

MD5
8f3c7fbc1e051b36696dbd67e8ed4249

SHA1
b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

SHA256
8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

SHA512
4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

Download Submit
memory/1476-0-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/1476-116-0x0000000000400000-0x0000000001555000-memory.dmp

Filesize
17.3MB

Download
memory/4920-112-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-129-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-118-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-128-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-104-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-106-0x0000000077253000-0x0000000077254000-memory.dmp

Filesize
4KB

Download
memory/4920-105-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/4920-110-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-109-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-108-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-103-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-192-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-191-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-107-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4920-208-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-207-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-130-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-115-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-224-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-367-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-349-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4920-113-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-347-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-124-0x0000000000AB0000-0x0000000000B29000-memory.dmp

Filesize
484KB

Download
memory/4920-101-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/4920-102-0x0000000001C60000-0x0000000002553000-memory.dmp

Filesize
8.9MB

Download
memory/5028-276-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-272-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-271-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-270-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-267-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/5028-264-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download
memory/5028-273-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-274-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-256-0x0000000001550000-0x00000000015C9000-memory.dmp

Filesize
484KB

Download
memory/5028-244-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-241-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-240-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-239-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-237-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-243-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-242-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-238-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-275-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-277-0x0000000073590000-0x0000000073602000-memory.dmp

Filesize
456KB

Download
memory/5028-246-0x00000000024E0000-0x0000000002DD3000-memory.dmp

Filesize
8.9MB

Download
memory/5028-252-0x0000000001550000-0x00000000015C9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads